[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 742
  • Last Modified:

Guessing we need 2 vlan's and a (inter-vlan) router. (or perhaps we can setup a pc/server with 3 networkcards that is cheaper...)

Hi,

This week we came to the conclusion that we needed 2 (v)lan's within our company.
there are poeple who work in the office and machines we sell and devolp that also need to be attached to the network.

Since R&D wants to connect to those machines to do firmware upgrading/copying stuff,  vlan seemed to be the answer.
R&D wants its own subnet with its own dhcp server but to be able to connect to all the machines in the other subnet.
Since R&D has its own department in the office and want to able to connect to the company network but also with the machines we needed to find a solution.
a solution where for example dhcp doens't interfear with the other subnet, machines can work idenpendtly but can connect to the other subnet and maybe internet to later...
Also the other way arround and maybe do some restriction in network ports and hosts or so...


currently we have got 4 main switches and a cisco pix 515 firewall that supports VLAN's and has 3 interfaces (with one expension slot)
1 x 3com 1100 (10mbit) (managed layer2 with vlan support)
1 x 3com 3300XM (10/100mbit) (managed layer2 with vlan support)
3 x 3com baseline switches unmanaged/ no vlan support 10/100.

4x 3com unmanagend office connect switches on the factory floor

Each network unit in the subnets must have its gateway on that subnet and since our pix firewall does the gatway work now, that needs to be re-posionted also.
The subnets need to be routed. how can we achieve this?  

Since we only want 2 vlans/subnets do we still need a layer3 switch or router that is 2000 euro or can this be done easilyer and cheaper?
Maybe a windows 2000/2003 server that has routing capabilties and what if we put 3 network cards in that machine...

i guess we can use the older 1100 en 3300XM 3com switches. we are willing to sell those basslines switches and go for something new of this is nessary.
the 2 current vlan switches have a total of 48 ports together now
Most our outlets are directly patched to our main switches but there a few switches in the factory that are behind the main swiches.
If all those network units need to be on the factory subnet, keeping those old switches is ok i think.

What is the best routing solution for 2 vlan's and routing to the internet.?
Can a layer 3 switch do this or is a more advanced solution needed?
and also, what is the best and cheapest way? (windows/linux server or so...)?

Best Regards.
Rick

0
Rick
Asked:
Rick
  • 5
  • 5
  • 2
1 Solution
 
wingateslCommented:
The pix can route packets between two interfaces. just set up the other network as a DMZ. set up your vlans as you wish with the current switches. then plug one vlan port into  each of the pix ports and set the access lists to allow traffic to pass between the two networks. if you are already using the DMZ then I would purchase the 4 port FE card for the pix.
Shawn
0
 
wingateslCommented:

 an example
   
               PC (Vlan 1) 192.168.1.2           PC (Vlan 15) 10.1.1.2
                      |                                          |
                      |                                          |
                       ----------SWITCH---------------
                                    |         |
                                    |         |
                                  Vlan1    Vlan2
                                    |         |
              192.168.1.1   E1        E2  10.1.1.1
                                     \      /
                                       Pix
                                        |
                                       E0
                                        |
                                       Internet


0
 
lrmooreCommented:
A layer 3 switch would be highly preferable over using the firewall as a router. Remember that this PIX was designed to be a firewall and not a router. However, if you update the PIX to ver 7.x then you can enable basic routing between vlan interfaces of same security level. As long as the switch that connects to the PIX is vlan capable using 802.1q tagging, you should be OK. All those unmanged switches need to plug into a vlan capable switch that has the uplink port in the appropriate vlan.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
RickAuthor Commented:
ok,

to use version 7.x i have to upgrade the memory of the pix and software.
The dmz is not in use, but i want keep that free for the near future.
How much would an expension card cost? anyone knows?

And at what level do level3 switches start?

0
 
lrmooreCommented:
Depending on which type license you have on the PIX, you may not have to upgrade the memory.
If you have a Restricted license you only need 32Mb
But you do need a valid Smartnet support contract in order to download the software
Can you post result of 'show version' from the PIX?

Cisco Layer 3 switches start at $3000 and up

This LInksys model sells for around $1200
http://www1.linksys.com/Products/product.asp?prid=500&scid=40
0
 
RickAuthor Commented:
A friend of mine supplies me the new cisco pix images :-)
earlyer, i have read that to be able to run 7.x i have to add 32MB more..

----------------------------------------


FW-HMECH-PUR-01> show version

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

FW-HMECH-PUR-01 up 19 days 3 hours

Hardware:   PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 000d.6585.79d2, irq 10
1: ethernet1: address is 000d.6585.79d3, irq 11
2: ethernet2: address is 0002.b3b5.bd66, irq 11
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 3
Maximum Interfaces:          5
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.
0
 
lrmooreCommented:
Your PIX is fine. 32Mb with (R) license is all you need!
0
 
RickAuthor Commented:
Maximum Physical Interfaces: 3
does that mean i cant add more with our current license?
0
 
lrmooreCommented:
Correct. Restricted license means only 3 physical interfaces, but you can always add 2 more logical vlan interfaces for total of 5
0
 
RickAuthor Commented:
my boss wont go for those layer 3 switches i guess.
so using the pix will be a fine option then

one last question:

behind the pix we use a layer 2 2024 (for our servers gigabyte) linksys switch that is capable of vlan/tagging and so.

from that switch it goes to our 3com vlan switches in our patch room. i've read that some brands use different standaards in some sort. maybe this is for automatic deployment and configuration for a MAC based vlan, but basic port based vlan wont give in incompability problems would it?

:-)

thanks

0
 
lrmooreCommented:
As long as they are all 802.1q vlan capable, they will be interoperable
0
 
RickAuthor Commented:
The linksys srw2024 GB switch we use for our server, is a layer 3 switch i found out!

Does this enable me having 2 VLAN's and routing between them or do all switches need to be layer 3 then?

If i setup 2VLAN's on that layer3 switch and assign bot VLAN's to one port (with tagging i guess) then an endstation behind a secondary layer2 vlan switch can connect to both VLAN's won't it? i understand that all other vlan switches need to be configured to...

when i compare this linksys switch to others, its a bit cheaper so its funtions are limited compared to a grownup cisco or 3com switch. Status information about ports/traffic is poor, no graphics or rich history is available

With the VLAN equipement we have, i only see VLAN's based switch outlets/ports...
Is VLAN based on mac address only avaiable on the highend switches that talk to eachother?

Thanks again

Regards
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 5
  • 5
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now